
Deleting unused transactions from roles

Former Member
0 Kudos

I am planning for unused transaction cleanup activity for SAP roles as mentioned below.

There are a lot of roles which are copied from SAP menu due to which they consist of around 1000 transactions. Now I know there will be around 50 transactions which might be used and the rest of them not used at all. I have made the strategy to find all the transactions which are not used during the last 3 months (using ST03N) and then consult the list with the role owners and delete the unused transactions.

I would like to know whether this is the correct strategy to follow, will the ST03N data -> transactional profile provide the relevant data to sort out the transactions not used in last 3 months. Please suggest or any alternative strategy can be followed. I know about SM19 audit log, but the problem is that it cannot be activated for all the users due to file space and performance issues.

Regards,

Sanjay

1 ACCEPTED SOLUTION

Former Member
0 Kudos

There are a lot of roles which are copied from SAP menu due to which they consist of around 1000 transactions.

I am tempted to move this to the Test&Playground forum, because that is what building authorization roles from SAP Menu navigation nodes is.

Of course if you do not care and it is better than manual profiles then it is not all bad, so I will leave it here in the security forum for now.

From my side, if you have no clue... then go for the SAP standard roles and copy them into your own namespace and work from there to start with. Check the objects included against audit check lists as step two. Take a closer look when you have a chance as step three (there are many manual auths in there...). You will be better off this way than inventing roles of your own without any tcode or blue-print infos.

I would however still not call it "best practice" and it will backfire over time, but it can be done in a few days (so that you can get your bones out of the project and onto the next one without learning about the pain-points).

Eventually you become a professional bull-****...

Cheers,

Julius

7 REPLIES 7

Former Member
0 Kudos

There are a lot of roles which are copied from SAP menu due to which they consist of around 1000 transactions. Now I know there will be around 50 transactions which might be used and the rest of them not used at all.

In my opinion it's far easier to create a new role with 50 used transactions rather than removing 950 transactions from the role and adjusting thousands of authorization objects in the role.

ST03N is not an audit log and hence not 100% dependable in your case. SM20 log would be a more appropriate and trustworthy source as per my knowledge. But make sure you run the list of transactions you are going to add to the new role through business for their confirmation and save yourself from the blame-game afterwards.

Thanks

Sandipan

0 Kudos

Thanks all for the suggestions. I understand that it will be easy to create the new role with a small number of transactions rather than deleting a lot of transactions. Copying the SAP standard roles will again provide the transactions which all will not be required and some have to be deleted. I think to select only the transactions in use and consult with the role owners and create the new roles thereafter.

0 Kudos

Hi,

Alternately, you can also download the role from SAP and open it in notepad. Then remove all entries for the tcodes you would want to delete from the role, in the text file which begins with "AGR_TCODES" and "AGR_HIER". Upload the role again and regenerate the profile afterwards in "Expert mode" of PFCG to adjust the authorizations inside the role. This would remove the tcodes from PFCG role menu.

Chances of error are more in this method and creation of a new role with only the required tcodes should be easier and simpler. However, you may give it a try in your sandbox and see if it works.

Thanks

Sandipan

Edited by: Sandipan Choudhury on Jan 17, 2011 6:52 PM

0 Kudos

Hi Sandipan

Hacking the multiple entries for the mass of unused transactions (think there are usually at least three per tcode) would be one of those seat of the (brown) pants jobs

IMHO creating from scratch and applying to the user knowing you still have the original role with all its authorisations in the system for a while just in case it went pear-shaped would avoid the use of toilet paper...

Cheers

David

Former Member
0 Kudos

Hi Sanjay,

I went through the same procedure during last year while doing a security redesign for HR.

1. It's better that you take 6 months of data from the ST03 transaction which includes year/quarter/month end transactions. Some transactions are run only once in a year but are very important.

2. Make sure that you check the TCDCOUPLES table for the called/calling transactions. ST03 may not list all the called transactions in the report.

3. Make a note of all the manually added objects. Since, deleting transactions itself will not take away the manually added/changed objects.

4. Make sure you have downloaded all your roles before you start with deleting the roles.

Hope this helps.
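An added example, not code from any poster in this thread, that combines steps 1 and 2 above: it compares a role's transaction list against usage exported per month and keeps anything a used transaction calls according to TCDCOUPLES-style calling/called pairs. The role name, tcodes, CSV column names and months are constructed for illustration; the output is a review list for the role owner, not a deletion list.

```python
import csv, io

# Constructed sample exports; tcodes, role name and column names are hypothetical.
ROLE = "AGR_NAME,TCODE\n" + "".join(
    f"Z_HR_CLERK,{t}\n"
    for t in ["ZHR_DISP", "ZHR_MAINT", "ZHR_SUB", "ZYEAR_END", "ZOLD_RPT", "ZDEBUG"])
USAGE = """MONTH,TCODE,STEPS
2010-07,ZYEAR_END,4
2010-10,ZHR_DISP,310
2010-11,ZHR_DISP,280
2010-11,ZHR_MAINT,95
2010-12,ZHR_MAINT,120
"""
COUPLES = """TCODE,CALLED
ZHR_MAINT,ZHR_SUB
ZOLD_RPT,ZDEBUG
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def used_tcodes(usage_rows, end_month, months):
    """Tcodes with at least one step in the `months` months ending at end_month (YYYY-MM)."""
    y, m = map(int, end_month.split("-"))
    window = set()
    for _ in range(months):
        window.add(f"{y:04d}-{m:02d}")
        y, m = (y, m - 1) if m > 1 else (y - 1, 12)
    return {r["TCODE"] for r in usage_rows if r["MONTH"] in window and int(r["STEPS"]) > 0}

def with_called(used, couple_rows):
    """Add transactions reachable through calling->called pairs from any used tcode."""
    calls = {}
    for r in couple_rows:
        calls.setdefault(r["TCODE"], set()).add(r["CALLED"])
    keep, stack = set(used), list(used)
    while stack:
        for callee in calls.get(stack.pop(), ()):
            if callee not in keep:
                keep.add(callee)
                stack.append(callee)
    return keep

def cleanup_plan(role_rows, usage_rows, couple_rows, end_month, months):
    """Return (keep, review) for the role; review goes to the role owner."""
    in_role = {r["TCODE"] for r in role_rows}
    needed = with_called(used_tcodes(usage_rows, end_month, months), couple_rows)
    return sorted(in_role & needed), sorted(in_role - needed)

if __name__ == "__main__":
    for n in (3, 6):
        print(n, cleanup_plan(rows(ROLE), rows(USAGE), rows(COUPLES), "2010-12", n))
```

With the 3-month window the once-a-year transaction lands on the review list; with 6 months it is kept. A called transaction is kept only when its caller was actually used, so a calling/called pair by itself does not count as usage.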

0 Kudos

Hello Daniel,

the table TCDCOUPLES is a good method to check all the called transactions in the background as well. Though I would like to confirm if we can check the transactions executed and called from table TCDCOUPLES then why keep a track on ST03N entries. I mean from a single source TCDCOUPLES we can track all the transactions executed directly or called in the background. Because I found there are lot more transactions in table TCDCOUPLES which are not present in ST03N.

Also I would like to know whether the SM19 audit log shows the transactions called in the background when a user executes any transaction.

Sanjay